Inno Stealer - Fake Windows 11 Upgrade Spreads Infostealer

Cybercriminals are baiting unsuspecting users with a fake Windows 11 upgrade laden with a malicious threat. This malicious threat is an infostealer called Inno Stealer, which targets browser data and cryptocurrency wallets.

The campaign with fake upgrade

At present, an active campaign relies on poisoning search results to advertise a website that mimics the promotional pages for Windows 11 and infects visitors with an information stealer.
  • The attackers target users who are eager to install Windows 11 and are willing to use third-party sites without checking the details of the specifications or performing any other security validation.
  • They created a malicious website promoting the fake Windows 11 upgrade. The fake site uses official Microsoft logos and favicons, along with a Download Now button.
  • The download is unavailable over Tor or VPN connections. If a visitor loads the malicious website through a direct connection, they receive an ISO file that hides the infostealer executable.

About Inno Stealer

The attackers behind this campaign use a new malware family, named Inno Stealer after its use of the Inno Setup Windows installer. It has no code similarities with any known commodity stealer or other stealer. It targets web browsers and crypto wallets including Chrome, Brave, Comodo, Opera, Vivaldi, Edge, 360 Browser, GeroWallet, BraveWallet, and GuildWallet.
  • The loader file is the Windows 11 setup EXE included in the ISO. It dumps a temporary file named is-PN131[.]tmp and creates another TMP file to which the loader writes data.
  • The loader then spawns a new process using the Windows process-creation API, establishes persistence by adding an LNK file, and plants four files.
  • Two of the dropped files are Windows Command Scripts used to disable Registry security, uninstall security products, delete the shadow volume, and add Defender exceptions.
  • The third file is a command execution utility that runs with the highest system privileges. The fourth and last file is a VBA script that is required to run dfl[.]cmd.
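The behaviours listed above (an Inno Setup temp stage, Defender exclusions, shadow copy deletion, LNK persistence) are individually common and only become suspicious in combination. The following is an added example, not code from the article or any vendor: a small correlation check over constructed process-creation events; the command strings and log lines are assumptions chosen to illustrate the generic form of each behaviour, not the malware's own scripts.

```python
"""Detection sketch for the behaviours listed above: shadow copy deletion,
Defender exclusions, an Inno Setup temp stage and Startup-folder LNK persistence.
Added example, not code from the article. Log lines and command strings are
constructed for illustration; they are not the malware's own scripts."""
import re
from collections import defaultdict
from typing import Dict, List, Set

# Regexes over a process-creation command line (Sysmon Event ID 1 style).
# Assumption: generic forms of these commands, not the sample's own text.
RULES: Dict[str, "re.Pattern[str]"] = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "defender_exclusion": re.compile(
        r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)", re.I),
    # Inno Setup unpacks to %TEMP%\is-XXXXX.tmp; the article's sample used is-PN131.tmp
    "inno_temp_stage": re.compile(r"\\is-[A-Z0-9]{5}\.tmp\\", re.I),
    "startup_lnk_persistence": re.compile(
        r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk", re.I),
}


def classify(cmdline: str) -> List[str]:
    """Names of every rule matching one command line (empty list if none)."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def scan(events: List[Dict[str, str]], min_behaviours: int = 2) -> Dict[str, List[str]]:
    """Map host -> sorted distinct behaviours, keeping only hosts with at least
    min_behaviours. One hit alone (an exclusion, an Inno temp dir) is routine
    installer or admin activity; the chain the article describes is not."""
    per_host: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(classify(ev["cmdline"]))
    return {h: sorted(b) for h, b in per_host.items() if len(b) >= min_behaviours}


# Constructed sample events (not real telemetry). ws01 mimics the chain above;
# ws02 is a legitimate Inno Setup install that must not be flagged.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws01", "cmdline": r'"C:\Users\u\AppData\Local\Temp\is-PN131.tmp\setup.tmp" /SL5="$1,0,0,C:\Downloads\Win11Setup.exe"'},
    {"host": "ws01", "cmdline": r'powershell.exe -Command Add-MpPreference -ExclusionPath "C:\Users\u\AppData\Local\Temp"'},
    {"host": "ws01", "cmdline": r"vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "cmdline": r'cmd.exe /c copy "C:\Users\Public\upd.lnk" "C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.lnk"'},
    {"host": "ws02", "cmdline": r'"C:\Users\a\AppData\Local\Temp\is-7K3QA.tmp\setup.tmp" /SPAWNWND=$2a0b'},
    {"host": "ws02", "cmdline": r"notepad.exe C:\Users\a\notes.txt"},
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```

With the default threshold only ws01 is reported, with all four behaviours; lowering min_behaviours to 1 would also surface the benign installer on ws02, which is the false-positive rate a single-indicator rule pays.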

Conclusion

The buzz around newer OS versions is becoming an opportunity for cybercriminals to spread their infostealers. To stay protected, never download ISO files from unknown sources, especially for major OS upgrades. Users should visit the official site to get the right information regarding the upgrade.

Cyware Publisher